- Re: ProCurve 5406zl - Restricting VLAN to VLAN tra...
10-03-2007 07:19 AM
Restrict VLAN30 from accessing all VLANs other than itself. This VLAN will be an Altiris Deployment Imaging VLAN and will not need access to any other VLANs except the Default VLAN1, which is the gateway of the 5406zl switch. By doing this, VLAN30 cannot access other VLANs except for VLAN1, which will allow VLAN30 to access the Internet.
Restrict VLAN40 from accessing all VLANs other than itself. This VLAN will be a Guest VLAN and will not need access to any other VLANs except the Default VLAN1, which is the gateway of the 5406zl switch. By doing this, VLAN40 cannot access other VLANs except for VLAN1, which will allow VLAN40 to access the Internet.
Here is my switch config so far:
; J8697A Configuration Editor; Created on release #K.12.16
hostname "5406zl"
snmp-server contact "
snmp-server location "Server Room"
time timezone -8
time daylight-time-rule Continental-US-and-Canada
module 1 type J8702A
module 2 type J8702A
module 3 type J8702A
module 4 type J8702A
module 5 type J8702A
ip default-gateway 10.2.1.1
ip routing
snmp-server community "public" Unrestricted
snmp-server community "private" Unrestricted
vlan 1
   name "Default"
   untagged C1-C8
   ip address 10.2.1.2 255.255.255.0
   no untagged A1-A24,B1-B24
   exit
vlan 10
   name "Servers"
   untagged C9-C20
   ip address 10.2.10.1 255.255.255.0
   exit
vlan 20
   name "Clients"
   untagged A1-A24,B1-B24
   ip address 10.2.20.1 255.255.255.0
   exit
vlan 30
   name "Altiris"
   untagged D1-D24,E1-E24
   ip address 10.2.30.1 255.255.255.0
   exit
vlan 40
   name "Guest"
   untagged C21-C24
   ip address 10.2.20.1 255.255.255.0
   exit
vlan 50
   name "Voice"
   ip address 10.2.50.1 255.255.255.0
   tagged A1-A24,B1-B24
   voice
   exit
To recap, I need an ACL example to restrict VLAN30 and VLAN40.
Any help will be much appreciated.
10-03-2007 02:58 PM
Solution
I noticed your IP address for VLAN 20 and VLAN 40 is the same; you'll need to correct that.
Once corrected, I believe the following ACLs should do the trick.
ip access-list extended Guest
   deny ip any 10.2.10.0/24
   deny ip any 10.2.20.0/24
   deny ip any 10.2.30.0/24
   deny ip any 10.2.50.0/24
   permit ip any any
   exit
vlan 40
   ip access-group Guest in
   exit
ip access-list extended Altiris
   deny ip any 10.2.10.0/24
   deny ip any 10.2.20.0/24
   deny ip any 10.2.40.0/24
   deny ip any 10.2.50.0/24
   permit ip any any
   exit
vlan 30
   ip access-group Altiris in
   exit
Matt
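Added example, not part of the original posts and not HP's code: a small Python check that evaluates the Guest ACL above with first-match semantics and reports which other VLANs a guest host can still reach through routing. It assumes VLAN 40 has been corrected to 10.2.40.0/24; the VLAN 60 subnet in the demo is hypothetical and shows that a deny-list ending in `permit ip any any` must be extended whenever a VLAN is added. The Altiris ACL can be checked the same way.

```python
import ipaddress

# Subnets taken from the posted config; VLAN 40 is ASSUMED corrected to 10.2.40.0/24.
VLANS = {1: "10.2.1.0/24", 10: "10.2.10.0/24", 20: "10.2.20.0/24",
         30: "10.2.30.0/24", 40: "10.2.40.0/24", 50: "10.2.50.0/24"}

GUEST_ACL = """
deny ip any 10.2.10.0/24
deny ip any 10.2.20.0/24
deny ip any 10.2.30.0/24
deny ip any 10.2.50.0/24
permit ip any any
"""

def _net(token):
    # "any" matches every IPv4 address.
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)

def parse_acl(text):
    """Parse '<permit|deny> ip <src> <dst>' entries, keeping their order."""
    rules = []
    for line in text.split("\n"):
        if not line.strip():
            continue
        action, proto, src, dst = line.split()
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        rules.append((action, _net(src), _net(dst)))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def reachable_vlans(rules, own_vid, vlans=VLANS):
    """Other VLAN ids a host in own_vid can still send routed traffic to."""
    src = str(ipaddress.ip_network(vlans[own_vid])[10])  # sample host .10
    return [vid for vid, cidr in sorted(vlans.items())
            if vid != own_vid
            and evaluate(rules, src, str(ipaddress.ip_network(cidr)[10])) == "permit"]

if __name__ == "__main__":
    guest = parse_acl(GUEST_ACL)
    print("Guest reaches VLANs:", reachable_vlans(guest, 40))
    grown = {**VLANS, 60: "10.2.60.0/24"}  # hypothetical VLAN added later
    print("After adding VLAN 60:", reachable_vlans(guest, 40, grown))
```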
10-04-2007 01:14 AM
Re: ProCurve 5406zl - Restricting VLAN to VLAN traffic
Easiest way to do this would be using "Source Port Filtering" where certain ports are only allowed to talk to certain other ports.
Restrict VLAN40 from accessing all VLANs other than itself. This VLAN will be a Guest VLAN and will not need access to any other VLANs except the Default VLAN1, which is the gateway of the 5406zl switch. By doing this, VLAN40 cannot access other VLANs except for VLAN1, which will allow VLAN40 to access the Internet.
Same solution for this.
I have attached the part of the manual which deals with Source Port Filtering.